Re: Chaffe variation- random sequence numbers


Adam Shostack (adam@homeport.org)
Wed, 25 Mar 1998 08:50:29 -0500 (EST)


        Is your scheme to replace the use of the MAC with a PRNG
sequencing, or combine the two? It seems to me that the first might
be equivalent in security, and the second might be a win.

        PRNG sequencing is actually not equivalent to Rivest's scheme
by itself, because it loses the property of separability; Rivest's
scheme is exciting because it allows us to separate encryption into
authentication and chaffing, both of which may be legitimate
operations. I don't see a legitimacy to resequencing someone else's
packets.

        Regarding the combination, I think that this is a win, but
your scheme reduces the security of Rivest's to either that of the MAC
or that of the PRNG. (If I can break the PRNG, I can use that to
separate the wheat from the chaff.) If instead you send multiple
versions of each message, but with sequence numbers that are not of
use to the attacker, then he still needs to break the MAC to choose
the appropriate wheat.

        However, by forcing him to re-sequence, we may have a gain in
that the attacker cannot use statistical techniques to select
probable bits. (E.g., every 8th bit should be a zero if you're sending
printable ASCII text.) It's not clear that this selection of the 8th
bit gets you anything, but denying it to the attacker is probably not
a bad thing.

Brian Hurt wrote:
| I'm not sure if this has been thought of yet, but has anyone
| considered combining Rivest's Chaffing with random
| sequence numbers?
|
| The idea I had was that instead of having monotonically
| increasing sequence numbers, use a (cryptographically
| secure) pseudo-random number sequence based off of
| the MAC key. The chaff would, of course, have random
| sequence numbers based off a different sequence of
| pseudo-random numbers.
|
| If the receiver does windowing, the messages could be
| sent in a limited-random way. For instance, if the
| receiver can reorder up to n packets successfully, then
| the sender can send the next n packets in any order.
|
| The biggest problem I see with this is that it encodes (more)
| information about the MAC in the message sequence.
| I'm also not sure if the government would consider
| this encryption or not (the government not being known
| for using logic in its decision-making process).
|
| I don't speak for Bit 3.
| Brian
|

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
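
Added example, not part of either post: a Python sketch of the one-bit-per-packet form of Rivest's chaffing and winnowing that the thread takes as its baseline, showing that only the MAC key separates wheat from chaff. HMAC-SHA256, the function names, the sample key and message, and the shuffled delivery order are assumptions made for the illustration.

```python
import hashlib
import hmac
import random
import secrets

def tag(key: bytes, seq: int, bit: int) -> bytes:
    """MAC over (sequence number, bit); only this separates wheat from chaff."""
    return hmac.new(key, seq.to_bytes(8, "big") + bytes([bit]), hashlib.sha256).digest()

def chaff_stream(key: bytes, message: bytes) -> list:
    """Return shuffled (seq, bit, mac) packets: one wheat and one chaff per bit."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    packets = []
    for seq, bit in enumerate(bits):
        packets.append((seq, bit, tag(key, seq, bit)))            # wheat: valid MAC
        packets.append((seq, bit ^ 1, secrets.token_bytes(32)))   # chaff: random MAC
    random.SystemRandom().shuffle(packets)  # arrival order carries no information
    return packets

def winnow(key: bytes, packets: list) -> bytes:
    """Keep packets whose MAC verifies, then reassemble by sequence number."""
    wheat = {}
    for seq, bit, mac in packets:
        if hmac.compare_digest(mac, tag(key, seq, bit)):
            wheat[seq] = bit
    if sorted(wheat) != list(range(len(wheat))) or len(wheat) % 8:
        raise ValueError("missing or extra wheat packets")
    out = bytearray()
    for start in range(0, len(wheat), 8):
        value = 0
        for seq in range(start, start + 8):
            value = (value << 1) | wheat[seq]
        out.append(value)
    return bytes(out)

if __name__ == "__main__":
    key = secrets.token_bytes(32)              # constructed sample key
    wire = chaff_stream(key, b"wheat")         # constructed sample message
    print(winnow(key, wire))                   # receiver with the MAC key
    print(winnow(secrets.token_bytes(32), wire))  # wrong key: nothing verifies
```

Every sequence number appears on the wire with both bit values, so the (seq, bit) pairs an observer sees are the same for any message of that length.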



The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:16:14 ADT